
  • Procedures and documented procedures


    Do we have to make procedures for all below controls? 

    A 8.2.2 labeling of info
    A 8.2.3 handling of assets
    A 8.3.1 mgt of removable media
    A 8.3.2 disposal of media
    A 9.4.2 secure log-on procedures
    A 11.1.5 working in secure areas
    A 12.5.1 installation of software on operational system
    A 13.2.1 info transfer policy & proc
    A 14.2.2 system change control
    A 15.2.2 managing changes to supplier services
    A 16.1.1 responsibilities and proc
    A 16.1.5 response to information security incident (done)
    A 16.1.7 collection of evidence
    A 17.1.2 info sec continuity
    A 18.1.2 intellectual property rights

    As in the explanation of all these controls, it's mentioned that we need to create some procedures.
     

    Answer:

    Yes, you are right, you need procedures for these controls, but this does not mean that you need a document. A procedure is the way that you have to perform an activity, and a documented procedure is the procedure written in a document. It is only mandatory to have a document for the controls (and clauses) where you can read “The organization shall document…”, so for example it is mandatory to have a document for A.16.1.5 and for A.17.1.2. Here you can see the list of mandatory documents and records of ISO 27001:2013 (and non-mandatory ones) “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    This article can also be interesting for you: "Explanation of the basic terminology in ISO standards": https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
  • Health and Safety Policy


    Can I add a Health and Safety Policy to the ISO 27001 toolkit? There is not currently such a policy listed.
     

    Answer:

    Yes, sure, you can add it, although it is not necessary for the implementation of ISO 27001 (because of this, it is not included in our toolkit). Here you can see a list of mandatory documents and records, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    And you can buy our Health and Safety Policy here (you can see a free version by clicking on the "Free Demo" tab): https://advisera.com/18001academy/documentation/ohs-policy/
  • Options to treat risks associated with a project


    How can I determine and describe options to treat risks associated with a project?
     

    Answer:

    Generally, there are 4 general options for the treatment of any type of risk: apply controls (or actions) to reduce the risk, transfer the risk, avoid the risk, or accept the risk. For more information, maybe this article can be interesting for you, “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    Finally, remember that Annex A of ISO 27001:2013 has the control “A.6.1.5 Information security in project management”, which is related to the integration of information security with project management activities, and there are several ways to do this: including information security objectives in project activities, performing a risk assessment at an early stage of the project, performing treatment of the identified risks (4 options above), etc. So this article can also be interesting for you, “How to manage security in project management according to ISO 27001 A.6.1.5”: https://advisera.com/27001academy/what-is-iso-27001/
  • Qualitative and quantitative risk assessment methodologies


    Name a few Qualitative and Quantitative Risk Assessment methodologies in the market which I could use for implementing ISO 27001.
     

    Answer:

    Examples of Qualitative Risk Assessment methodologies can be CRAMM, OCTAVE, or NIST 800-30, while examples of Quantitative Risk Assessment methodologies can be PILAR or SOMAP.
    Have you seen our methodology? It is based on the qualitative method (easier). Here you can see a free version by clicking on the “Free Demo” tab, “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    ISO 27005 is a code of best practices for risk management, and the appendices provide guidance on using qualitative and quantitative approaches, so maybe it can be interesting for you. You can buy and download it from the official site of iso.org: https://www.iso.org/standard/56742.html
    Finally, this article can also be interesting for you, "How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Survey to interested parties


    I'm looking for questions to prepare a survey to interested parties to provide feedback on the ISMS. To get feedback from interested parties (9.3 ISMS Management Review) we are planning to create a survey. Do you have a template or suggestions on a good set of questions?

     

    Answer:

    No, I am sorry, we do not have this template. Anyway, you can ask questions related to your ISMS and each interested party: Have you identified and established requirements for the ISMS? Have you identified any weakness in our ISMS? Any improvement? Any threat/vulnerability that we have not identified in our risk management yet? Have you identified any new asset in your business/area/department that is related to our ISMS? Do you have access to our Information Security Policy? Etc.
    This article related to interested parties can be interesting for you, “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Unique Risk Management Framework for ISO 27001, ISO 22301 and ISO 9001


    Can we have a single Risk Management Framework to meet the requirements of ISO 27001, ISO 22301 and ISO 9001:2015? I am aware of and have experience in the ISO 27001 Risk Management requirements. But how can we enhance it to cover ISO 22301 and ISO 9001, as ISO 9001 also requires Risk Management to be followed?
     

    Answer:

    Yes, from my point of view you can have a single Risk Management Framework for ISO 27001, ISO 22301 and ISO 9001, but considering the differences between these standards, because for example different risks can be considered in ISO 27001 (information security), ISO 22301 (business continuity), and ISO 9001 (quality). But you can define general steps: establish the context, risk identification, risk analysis, risk evaluation, risk treatment, etc. (although the details can be very different: the identification of risks in information security is very different than in quality).
    This article can be interesting for you, “Can ISO 27001 risk assessment be used for ISO 22301?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section22
    By the way, ISO 31000 is a guide of best practices for risk management, and you can use it for any type of risk. You can buy and download this standard from the official site of iso.org: https://www.iso.org/standard/43170.html
    This article can also be interesting for you, “ISO 31000 and ISO 27001 – How are they related?”: https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Setting Active Directory


    Yes, this is related to AD computers: what settings do they need to become compliant with ISO 27002?

    I need all the specific settings for both Linux and Windows. For example, what file permissions (like 600 for the /etc/shadow file in Linux) and what registry settings all Windows machines need. I need specific details for this, so when I conduct a pre-inspection I know what to look for.

     

    Answer:

    You need to be compliant with ISO 27001:2013; ISO 27002 is only a code of best practices, so you can only certify against ISO 27001. To be compliant with ISO 27001 there are many requirements that you need to implement, but you can do it technically as you want. For example, the control of Annex A of ISO 27001:2013 "A.9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights”. You can implement it with Active Directory or OpenLDAP, or any other LDAP software. The external auditor will verify whether you have implemented the control, and he can ask you how it is implemented (he can also give you some tips to improve the control), but nothing more.
    Anyway, from my point of view, permissions like 600 (or 400 for read only) for the /etc/shadow file in Linux are a best practice, although I think it can be better if you also encrypt the hard drive (and the same for Windows) and set a BIOS password.
    And if you have Linux and Windows systems, it can be a good idea to add the Linux systems to the Windows domain and include the Linux users in AD.
    Finally, remember that the Access Control Policy is a mandatory document in ISO 27001 (you can see the entire list of mandatory documents here, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/), so maybe this template can be interesting for you (you can see a free version by clicking on the “Free Demo” tab), “Access Control Policy”: https://advisera.com/27001academy/documentation/access-control-policy/
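    The /etc/shadow permission check discussed in the question and answer above, as an added example that is not part of the original thread: a small POSIX shell audit function for a pre-inspection that verifies a file's permission bits do not exceed a chosen maximum mode and that the file has the expected owner. It assumes a Linux host with GNU coreutils `stat` (the `-c` format flag); the file, maximum mode and owner passed on the command line are the auditor's own choices, and the script itself is not from Advisera or from the forum poster.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-inspection check of file
# permissions and ownership, e.g. for /etc/shadow.
# Assumes GNU coreutils `stat` (Linux); BSD/macOS stat uses different flags.

# mode_of FILE -> decimal value of FILE's permission bits (stat prints octal, e.g. 640)
mode_of() {
    # printf %d treats a leading 0 as octal, so 0640 -> 416
    printf '%d' "0$(stat -c '%a' "$1")"
}

# perm_within FILE MAX_OCTAL -> succeeds if every permission bit set on FILE
# is also set in MAX_OCTAL, i.e. FILE is no more permissive than MAX_OCTAL
perm_within() {
    actual=$(mode_of "$1")
    max=$(printf '%d' "0$2")
    [ $(( actual & ~max )) -eq 0 ]
}

# owned_by FILE USER -> succeeds if FILE is owned by USER
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# audit_file FILE MAX_OCTAL OWNER -> prints one PASS/FAIL line per finding and
# returns 1 if any check failed (a missing file counts as a failure)
audit_file() {
    f=$1; maxmode=$2; owner=$3; rc=0
    if [ ! -e "$f" ]; then
        echo "FAIL $f: file not found"
        return 1
    fi
    if ! perm_within "$f" "$maxmode"; then
        echo "FAIL $f: mode $(stat -c '%a' "$f") is more permissive than $maxmode"
        rc=1
    fi
    if ! owned_by "$f" "$owner"; then
        echo "FAIL $f: owner $(stat -c '%U' "$f") is not $owner"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS $f (mode $(stat -c '%a' "$f"), owner $owner)"
    fi
    return "$rc"
}

# Usage: sh audit_perms.sh /etc/shadow 640 root
# A file set to 600 or 400, as suggested in the answer above, also passes a
# 640 ceiling; a file at 644 (world-readable) fails it.
if [ "$#" -eq 3 ]; then
    audit_file "$1" "$2" "$3"
fi
```

    The check is a subset test on the mode bits rather than an equality test, so a stricter setting than the ceiling is accepted and only extra bits (group write, world read, setuid, and so on) are reported; run it once per file in the list the auditor has agreed with the system owners.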
  • IRCA or RABQSA


    I finally did the five-day ISO 27001 Lead Auditor course in June in the UK with IT Governance (https://www.itgovernance.co.uk/) and passed.
    But I have just come to realise that the course and my certificate are accredited by IBITGQ, the International Board for IT Governance Qualifications, and not IRCA or RABQSA.

    What does this mean in terms of my certificate?

     

    Answer:

    This simply means that IRCA or RABQSA have more international presence and their accreditations are better valued, but anyway, from my point of view the important thing here is that you have passed the ISO 27001 Lead Auditor course. The entity that issues the certificate is also important, but generally the knowledge that you learn in a course accredited by IBITGQ should be the same as the knowledge that you learn in a course accredited by IRCA or RABQSA.
    This article can be interesting for you, “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • Costs of the implementation


    How do I derive the budget required for the implementation?
     

    Answer:

    There are some possible parameters that you can consider for the implementation, for example the cost of external assistance, the cost of technology, the cost of employees' time, etc. This article can be interesting for you, “How much does ISO 27001 implementation cost?”: https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
  • Updating existing information security policies


    Answer:

    ISO 27001 is not only about security policies, so this task can't be done just by improving your policies without doing the prior analysis. The whole logic of ISO 27001 is based on risk assessment, which means that once you know where your risks are, you can start writing the documents and implementing the controls that will mitigate those risks.

    If you're not particularly satisfied with your existing documents, then it might be easier to write completely new documents; in that case our templates will certainly help you.

    Here you'll find the details on this topic:

    The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/